From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-announce+bounces-2259-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id 37DAE1396D9
	for <garchives@archives.gentoo.org>; Mon, 23 Oct 2017 01:40:28 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 4A5E52BC04A;
	Mon, 23 Oct 2017 01:39:56 +0000 (UTC)
Received: from smtp.gentoo.org (woodpecker.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 7745C2BC003
	for <gentoo-announce@lists.gentoo.org>; Mon, 23 Oct 2017 01:39:43 +0000 (UTC)
Received: from localhost.localdomain (pool-108-48-108-145.washdc.fios.verizon.net [108.48.108.145])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	(Authenticated sender: bman)
	by smtp.gentoo.org (Postfix) with ESMTPSA id 61D4133BEC7
	for <gentoo-announce@lists.gentoo.org>; Mon, 23 Oct 2017 01:39:42 +0000 (UTC)
From: Aaron Bauman <bman@gentoo.org>
To: gentoo-announce@lists.gentoo.org
Reply-To: security@gentoo.org
Subject: [gentoo-announce] [ GLSA 201710-26 ] OpenJPEG: Multiple vulnerabilities
Date: Sun, 22 Oct 2017 21:39:39 -0400
Message-ID: <2578740.rZSGAur8cN@localhost.localdomain>
Organization: Gentoo
Precedence: bulk
List-Post: <mailto:gentoo-announce@lists.gentoo.org>
List-Help: <mailto:gentoo-announce+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-announce+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-announce+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-announce.gentoo.org>
X-BeenThere: gentoo-announce@lists.gentoo.org
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart2761657.PAl17ce4AH"; micalg="pgp-sha256"; protocol="application/pgp-signature"
X-Archives-Salt: 7d7d1f19-28bf-4366-aa38-44a9a236fc23
X-Archives-Hash: 357002a8752e6d0747cf3ebf7ae27d5d

--nextPart2761657.PAl17ce4AH
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201710-26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: OpenJPEG: Multiple vulnerabilities
     Date: October 23, 2017
     Bugs: #602180, #606618, #628504, #629372, #629668, #630120
       ID: 201710-26

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in OpenJPEG, the worst of
which may allow remote attackers to execute arbitrary code.

Background
==========

OpenJPEG is an open-source JPEG 2000 library.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  media-libs/openjpeg         < 2.3.0:2                 >= 2.3.0:2 

Description
===========

Multiple vulnerabilities have been discovered in OpenJPEG. Please
review the references below for details.

Impact
======

A remote attacker, via a crafted BMP, PDF, or j2k document, could
execute arbitrary code, cause a Denial of Service condition, or have
other unspecified impacts.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OpenJPEG users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/openjpeg-2.3.0:2"

References
==========

[  1 ] CVE-2016-10504
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10504
[  2 ] CVE-2016-10505
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10505
[  3 ] CVE-2016-10506
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10506
[  4 ] CVE-2016-10507
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10507
[  5 ] CVE-2016-1626
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1626
[  6 ] CVE-2016-1628
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1628
[  7 ] CVE-2016-9112
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9112
[  8 ] CVE-2016-9113
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9113
[  9 ] CVE-2016-9114
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9114
[ 10 ] CVE-2016-9115
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9115
[ 11 ] CVE-2016-9116
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9116
[ 12 ] CVE-2016-9117
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9117
[ 13 ] CVE-2016-9118
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9118
[ 14 ] CVE-2016-9572
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9572
[ 15 ] CVE-2016-9573
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9573
[ 16 ] CVE-2016-9580
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9580
[ 17 ] CVE-2016-9581
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9581
[ 18 ] CVE-2017-12982
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12982
[ 19 ] CVE-2017-14039
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14039
[ 20 ] CVE-2017-14164
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14164

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201710-26

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
--nextPart2761657.PAl17ce4AH
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part.
Content-Transfer-Encoding: 7Bit

-----BEGIN PGP SIGNATURE-----

iQEzBAABCAAdFiEEiDRK3jyVBE/RkymqpRQw84X1dt0FAlntSFsACgkQpRQw84X1
dt3Xdgf+NqTTEWN5U8VJQT4vrjWrumrGhABpXbmjYOAyBiXl8xW6zKDF9KPgeP6v
CZJEsQVSM1nMeZ6DUZCG4n6Cei56mdtH+Tt+/miZKQUz5cKOD0XM6L04qzovRWsr
nsG9jaJxOb/4PKZKLTpXYKnOWc5syjcnm2a+UZnehBRe0PX8Him4uHbbBYxeKBbt
o4XldfNQPAUIk1/PlPw8ZprXOTePnBzV7gg+bn+y1By1URvbtZhC1bF/u+AiuX8w
MYU9tbQxmgBtXzkHf7kAg07xO3cZRrIFlnVTvs1AWl7TzNAQ6DvhUEfWCVQjafXq
D7dCcfEV68VmVWcNSowE2kDU6nj+3g==
=cPMT
-----END PGP SIGNATURE-----

--nextPart2761657.PAl17ce4AH--